PT-2026-1699 · WordPress · Folders – Unlimited Folders To Organize Media Library Folder

Published: 2026-01-08 · Updated: 2026-01-08 · CVE-2025-12640

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress, versions up to and including 3.1.5.

Description

The Folders plugin for WordPress is susceptible to unauthorized arbitrary media replacement. This occurs because the handle_folders_file_upload() function lacks proper object-level authorization checks. Authenticated attackers with Author-level access or higher can exploit this to replace any media file in the WordPress Media Library.

Recommendations

Versions up to and including 3.1.5 should be updated to a newer, fixed version of the plugin. As a temporary workaround, consider restricting access to the handle_folders_file_upload() function for users with Author-level access or below.
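
An added illustration of the object-level check the description says is missing, written against WordPress core functions. It is not the Folders plugin's code: the function names, the example_replace_media action and nonce, and the attachment_id and file request fields are hypothetical.

```php
<?php
// Added illustration, not the Folders plugin's code. The function names, the
// 'example_replace_media' action/nonce and the request field names are hypothetical.

// Object-level check: may the current user modify THIS attachment?
function example_can_replace_attachment( $attachment_id ) {
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return false;
    }
    // 'edit_post' is a meta capability resolved against the attachment's owner:
    // an Author passes for their own uploads and fails for other users' media.
    return current_user_can( 'edit_post', $attachment_id );
}

function example_replace_media_handler() {
    // Nonce and role-level checks. Neither one considers which attachment
    // the request targets, so on their own they leave the gap described above.
    check_ajax_referer( 'example_replace_media', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! example_can_replace_attachment( $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'upload failed', 400 );
    }
    // Only accept a replacement whose detected type matches the existing attachment.
    $target = get_attached_file( $attachment_id );
    $check  = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( ! $target || ! $check['type'] || get_post_mime_type( $attachment_id ) !== $check['type'] ) {
        wp_send_json_error( 'type mismatch', 400 );
    }
    if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $target ) ) {
        wp_send_json_error( 'write failed', 500 );
    }

    require_once ABSPATH . 'wp-admin/includes/image.php';
    wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $target ) );
    wp_send_json_success( array( 'id' => $attachment_id ) );
}
add_action( 'wp_ajax_example_replace_media', 'example_replace_media_handler' );
```

When reviewing a plugin's upload or replace handlers, look for a capability check that takes the target object ID as its second argument; a bare role-level capability such as upload_files does not bind the request to a specific attachment.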

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-12640

Affected Products

Folders – Unlimited Folders To Organize Media Library Folder